Data security in a disconnected environment

ABSTRACT

Systems and methods are provided for the detection and prevention of intrusions in data at rest systems such as file systems and web servers. The systems and methods regulate access to sensitive data with minimal dependency on a communications network. Data access is quantitatively limited to minimize the data breaches resulting from, e.g., a stolen laptop or hard drive.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 11/906,077, filed Sep. 27, 2007, now U.S. Pat. No. 8,826,449, which is incorporated by reference in its entirety. This application is also related to, but does not claim priority to, U.S. patent application Ser. No. 11/540,467, filed Sep. 29, 2006, now issued as U.S. Pat. No. 7,594,266, which in turn claims priority to U.S. patent application Ser. No. 11/510,185, filed Aug. 25, 2006, now issued as U.S. Pat. No. 7,305,707, which in turn claims priority under 35 U.S.C. §119 to European application number EPC 01127906.4, filed Nov. 23, 2001. The entire contents of each of these references are incorporated by reference herein.

TECHNICAL FIELD

The present invention generally relates to systems and methods of data protection in disconnected environments.

BACKGROUND INFORMATION

In database security, it is a known problem to avoid attacks from persons who have access to a valid user-ID and password. Such persons cannot be denied access by the normal access control system, as they are in fact entitled to access to a certain extent. Such persons can be tempted to access improper amounts of data, by-passing the security. Several solutions to such problems have been suggested and are discussed below.

I. Network-Based Detection

Network intrusion monitors are attached to a packet-filtering router or packet sniffer to detect suspicious behavior on a network as it occurs. The router or sniffer looks for signs that: a network is being investigated for attack with a port scanner; users are falling victim to known traps like url or .lnk; or the network is actually under an attack such as through SYN flooding or unauthorized attempts to gain root access (among other types of attacks). Based on user specifications, these monitors can then record the session and alert the administrator or, in some cases, reset the connection. Some examples of such tools include NetRanger and Cisco Secure Intrusion Detection System available from Cisco Corporation of San Jose, Calif. and RealSecure® available from Internet Security Systems, Inc. (ISS) of Atlanta, Ga. as well as some public domain products like Klaxon, available at ftp://ftp.eng.auburn.edu/pub/doug/, that focus on a narrower set of attacks.

II. Server-Based Detection

Server-based detection tools analyze log, configuration and data files from individual servers as attacks occur, typically by placing some type of agent on the server and having the agent report to a central console. An example of these tools, a public domain tool that performs a much narrower set of functions, is Tripwire®, available at http://sourceforge.net/projects/tripwire/, which checks data integrity. Tripwire® will detect any modifications made to operating systems or user files and send alerts to ISS's RealSecure® product. The RealSecure® product will then conduct another set of security checks to monitor and combat any intrusions.

III. Security Query and Reporting Tools

Security query and reporting tools query network operating system (NOS) logs and other related logs for security events and/or glean logs for security trend data. Accordingly, these tools do not operate in real-time and rely on users asking the right questions of the right systems. As a typical example, a query might be how many failed authentication attempts have occurred on certain NT servers in the past two weeks.

IV. Inference Detection

A variation of conventional intrusion detection is detection of specific patterns of information access known as inference detection. Inference detection is deemed to signify that an intrusion is taking place, even though the user is authorized to access the information. A method for such inference detection, i.e., a pattern oriented intrusion detection, is disclosed in U.S. Pat. No. 5,278,901 to Shieh et al., which is incorporated herein by reference.

None of these solutions is, however, entirely satisfactory. A primary drawback is that each solution concentrates on already effected queries, providing at best information that an attack has occurred.

Moreover, the above solutions presume a networked environment. While such environments are becoming increasingly ubiquitous, numerous situations still exist where access to sensitive data must be regulated without persistent and/or frequent access to networked security devices. For example, employees may need access to databases while traveling and without network access. While the replication of a database to a laptop is easily accomplished, protection of the data is critical, as demonstrated by recent well-publicized security breaches involving lost or stolen laptops.

Furthermore, reliance on networked security devices introduces a point of failure, which may be unacceptable in some situations. For example, while a retail store's cash registers may be networked, the cash registers should still be able to operate and access resources such as customer databases in the event of a network disruption.

Finally, it may be desirable to distribute intrusion detection analysis to the client level for greater performance.

SUMMARY OF THE INVENTION

The invention relates, but is not necessarily limited, to protecting data in a disconnected environment.

One embodiment of the invention is directed to a method for data protection comprising receiving a request for data encrypted with an encryption key, granting the request if an indicator value is within a threshold, and modifying the indicator value. This embodiment may have a variety of features. For example, advancing the indicator value may comprise modifying the indicator value by one. Advancing the indicator value may comprise modifying the indicator value for each record in the request. Advancing the indicator value may comprise modifying the indicator value for each record in a result of the request.

The method may further include denying the request if the indicator value exceeds the threshold. The method may also include receiving instructions from an access control system to modify the indicator value. The method may include receiving instructions from an access control system to modify the threshold. The method may also include notifying the access control system of the indicator value and/or notifying the access control system that the indicator value exceeds the threshold.

Other variations of the above embodiment may include prompting a user to connect to a network if the indicator value exceeds the threshold. The method may include sending information on data requests to the access control system. The indicator value may be specific to the encryption key.

The request may be a request to move the data from a first location to a second location, a request to move the data from a first application to a second application and/or a request to print the data. Further variations may include reencrypting the data and/or masking the data.
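By way of added illustration (this sketch is not part of the original disclosure), the indicator-and-threshold method of this embodiment can be expressed as a small client-side gate. The names `OfflineGuard`, `KeyQuota`, the key identifier and the record labels are hypothetical, and the grant test follows the "less than a threshold" wording used later in this summary.

```python
from dataclasses import dataclass, field


@dataclass
class KeyQuota:
    threshold: int      # indicator value at which requests start being denied
    indicator: int = 0  # advanced on every granted request


@dataclass
class OfflineGuard:
    """Client-side gate consulted before data under a given key is released."""
    per_record: bool = True                     # advance per result record, else by one
    quotas: dict = field(default_factory=dict)  # key_id -> KeyQuota
    outbox: list = field(default_factory=list)  # events held for the access control system

    def provision(self, key_id, threshold):
        # The indicator is specific to the encryption key, so state is kept per key.
        self.quotas[key_id] = KeyQuota(threshold)

    def request(self, key_id, result_records):
        quota = self.quotas.get(key_id)
        if quota is None:
            return {"granted": False, "reason": "no quota provisioned for this key"}
        if quota.indicator >= quota.threshold:
            # Deny, remember the event, and prompt the user to reconnect.
            self.outbox.append(("threshold_exceeded", key_id, quota.indicator))
            return {"granted": False, "reason": "limit reached; connect to the network"}
        quota.indicator += len(result_records) if self.per_record else 1
        self.outbox.append(("granted", key_id, quota.indicator))
        return {"granted": True, "records": list(result_records)}

    def sync(self, instructions):
        """On reconnection: apply access control system instructions, flush events."""
        for key_id, change in instructions.items():
            quota = self.quotas[key_id]
            quota.threshold = change.get("threshold", quota.threshold)
            quota.indicator = change.get("indicator", quota.indicator)
        sent, self.outbox = self.outbox, []
        return sent


def demo():
    guard = OfflineGuard()
    guard.provision("customer-db-key", threshold=5)  # constructed key id and limit
    granted = [guard.request("customer-db-key", batch)["granted"]
               for batch in (["r1", "r2"], ["r3", "r4", "r5"], ["r6"])]
    # Reconnected: the access control system resets the indicator.
    reported = guard.sync({"customer-db-key": {"indicator": 0}})
    granted.append(guard.request("customer-db-key", ["r6"])["granted"])
    return granted, reported


if __name__ == "__main__":
    print(demo())
```

On a real client the indicator has to be stored where the local user cannot reset it, since the limit is the only control left once the device is off the network.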

Another embodiment of the invention is directed to a method for data protection comprising receiving an intrusion detection profile from an access control system, receiving a request for data in a data at rest system from the user, determining whether a result of said request causes the user to violate at least one item access rule defined in the intrusion detection profile associated with the user, and denying the request if at least one item access rule is violated. The profile includes at least one item access rule, wherein a user is associated with the intrusion detection profile.

The above embodiment can have a variety of features. For example, the method may include notifying the access control system if at least one item access rule is violated. The method may also include accumulating results from performed requests and determining whether the accumulated results violate any one of said at least one item access rule. The item access rules may be selected from the group of a rule that limits access to the data at rest system at certain defined dates and times, a rule that prohibits access to the data at rest system, a rule that limits the user's ability to run a query at certain defined dates and times and a rule that prohibits the user from running a query.

The intrusion detection profile may also include at least one inference pattern. The method may further include accumulating results from performed previous requests to an item, comparing the received request with at least one inference pattern in order to determine whether a combination of accesses to the item match said inference pattern, and denying the received request if a combination of accesses in the record match at least one inference pattern. At least one of said at least one inference pattern may be a Bayesian inference pattern.

Another embodiment is directed to a computer-readable medium whose contents cause a computer to perform a method for data protection comprising receiving a request for data encrypted with an encryption key, granting the request if an indicator value is less than a threshold, and advancing the indicator value.

Another embodiment is directed to a computer-readable medium whose contents cause a computer to perform a method for data protection comprising receiving an intrusion detection profile from an access control system, receiving a request for data in a data at rest system from the user, determining whether a result of said request causes the user to violate at least one item access rule defined in the intrusion detection profile associated with the user, and denying the request if at least one item access rule is violated. The profile includes at least one item access rule, wherein a user is associated with the intrusion detection profile.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings generally are to illustrate principles of the invention and/or to show certain embodiments according to the invention. The drawings are not necessarily to scale. Each drawing is briefly described below.

FIG. 1 is a diagram showing a network environment for data at rest systems such as databases and file servers in accordance with an embodiment of the subject technology.

FIG. 2 is a flow diagram illustrating a method in accordance with an embodiment of the subject technology.

FIG. 3 is a diagram showing another embodiment of inventions described herein in which a data at rest system and a security module reside on a remote system.

DESCRIPTION

The present invention overcomes many of the prior art problems associated with detecting and preventing intrusions in data at rest systems. The advantages, and other features of the methods and systems disclosed herein, will become more readily apparent to those having ordinary skill in the art from the following detailed description of certain preferred embodiments taken in conjunction with the drawings which set forth representative embodiments of the present invention.

Unless otherwise specified, the illustrated embodiments can be understood as providing exemplary features of varying detail of certain embodiments, and therefore, unless otherwise specified, features, components, modules, elements, and/or aspects of the illustrations can be otherwise combined, interconnected, sequenced, separated, interchanged, positioned, and/or rearranged without materially departing from the disclosed systems or methods. Additionally, the shapes and sizes of components are also exemplary and unless otherwise specified, can be altered without materially affecting or limiting the disclosed technology.

Referring now to FIG. 1, an environment 100 contains a database 102, servers 106, and clients, trusted 108 and untrusted 116. For simplicity, only one database 102, two servers 106, one trusted client 108 and two untrusted clients 116 are shown. The database 102, servers 106, and trusted client 108 are connected via a distributed computing network 104 via communication channels, whether wired or wireless, as is known to those of ordinary skill in the pertinent art. The distributed computing network 104 may be one or more selected from the group: LAN, WAN, Internet, Intranet, Virtual Private Network, Ethernet and the like now known and later developed. While represented schematically as part of a separate entity or enterprise 118 in FIG. 1, a database 102 may be software or hardware integrated with a computer such as a server 106 or clients 108, 116.

The enterprise 118 is connected to the untrusted clients 116 via a network 112 such as the Internet. To control access to the network 104, a firewall 110 governs communication between the networks 104, 112. Firewalls 110 are well-known to those of ordinary skill in the art and, thus, not further described herein.

The servers 106 can be one or more servers known to those skilled in the art that are intended to be operably connected to a network so as to operably link to a plurality of clients 106, 108, and 116 via the distributed computer network 104. As illustration, the server 106 typically includes a central processing unit including one or more microprocessors such as those manufactured by Intel or AMD, random access memory (RAM), mechanisms and structures for performing I/O operations, a storage medium such as a magnetic hard disk drive(s), and an operating system for execution on the central processing unit. The hard disk drive of the servers 106 may be used for storing data, client applications and the like utilized by client applications. The hard disk drives of the server 106 also are typically provided for purposes of booting and storing the operating system, other applications or systems that are to be executed on the servers 106, paging and swapping between the hard disk and the RAM.

It is envisioned that the server 106 can utilize multiple servers in cooperation to facilitate greater performance and stability of the subject invention by distributing memory and processing as is well known. For reference, see, for example, U.S. Pat. No. 5,953,012 to Venghte et al. and U.S. Pat. No. 5,708,780 to Levergood et al.

The plurality of clients 108, 116 can be desktop computers, laptop computers, personal digital assistants, cellular telephones and the like now known and later developed. The clients 108, 116 can have displays as will be appreciated by those of ordinary skill in the pertinent art. The display may be any of a number of devices known to those skilled in the art for displaying images responsive to output signals from the computers 108, 116. Such devices include, but are not limited to, cathode ray tubes (CRT), liquid crystal displays (LCDs), plasma screens and the like. Although a simplified diagram is illustrated in FIG. 1, such illustration shall not be construed as limiting the present invention to the illustrated embodiment. It should be recognized that the signals being output from the computer can originate from any of a number of devices including PCI or AGP video boards or cards mounted within the housing of the clients 108, 116 that are operably coupled to the microprocessors and the displays thereof.

The clients 108, 116 typically include a central processing unit including one or more micro-processors such as those manufactured by Intel or AMD, random access memory (RAM), mechanisms and structures for performing I/O operations (not shown), a storage medium such as a magnetic hard disk drive(s), a device for reading from and/or writing to removable computer readable media and an operating system for execution on the central processing unit. According to one embodiment, the hard disk drive of the clients 108, 116 is for purposes of booting and storing the operating system, other applications or systems that are to be executed on the computer, paging and swapping between the hard disk and the RAM and the like. In one embodiment, the application programs reside on the hard disk drive for performing the functions in accordance with the transcription system. In another embodiment, the hard disk drive simply has a browser for accessing an application hosted within the distributed computing network 104. The clients 108, 116 can also utilize a removable computer readable medium such as a CD or DVD type of media that is inserted therein for reading and/or writing to the removable computer readable media.

The servers and clients typically include an operating system to manage devices such as disks, memory and I/O operations and to provide programs with a simpler interface to the hardware. Operating systems include: Unix®, available from the X/Open Company of Berkshire, United Kingdom; FreeBSD, available from the FreeBSD Foundation of Boulder, Colo.; Linux®, available from a variety of sources; GNU/Linux, available from a variety of sources; POSIX®, available from IEEE of Piscataway, N.J.; OS/2®, available from IBM Corporation of Armonk, N.Y.; Mac OS®, Mac OS X®, Mac OS X Server®, all available from Apple Computer, Inc. of Cupertino, Calif.; MS-DOS®, Windows®, Windows 3.1®, Windows 95®, Windows 2000®, Windows NT®, Windows XP®, Windows Server 2003®, Windows Vista®, all available from the Microsoft Corp. of Redmond, Wash.; and Solaris®, available from Sun Microsystems, Inc. of Santa Clara, Calif. See generally Andrew S. Tanenbaum, Modern Operating Systems (2d ed. 2001). Operating systems are well-known to those of ordinary skill in the pertinent art and, thus, not further described herein.

The file system may implement one or more file systems to handle how disks and other storage means are “structured, named, accessed, used, protected and implemented.” Ibid. Examples of file systems include: ext2, ext3 and XFS, implemented as part of various Linux flavors; ReiserFS and Reiser4, both supported for GNU/Linux; Google File System, produced by Google Inc. of Menlo Park, Calif.; and FAT, FAT12, FAT16, FAT32, NTFS, implemented as part of the Windows® operating systems by Microsoft Corp. of Redmond, Wash.; HFS, HFS+, both implemented as part of Mac OS® by Apple Computer, Inc. of Cupertino, Calif. File systems are well-known to those of ordinary skill in the pertinent art and, thus, not further described herein.

The environment also includes one or more sensors 120 and one or more access control systems 122. The one or more sensors 120 may be implemented as part of a server 106, a client 108, 116, a database 102 or as a freestanding network component (e.g., as a hardware device). The sensor 120 may be implemented with technology similar to the Defiance™ TMS Monitor, available from Protegrity Corp. of Stamford, Conn. Preferably, the one or more sensors 120 are implemented separately from any data at rest systems, such as databases or file systems, in order to monitor bidirectional data flows in the network.

The access control system 122 may be any system or apparatus capable of producing an intrusion detection profile. The access control system 122 may be implemented in many ways including, but not limited to, embodiment in a server 106, a client 108, 116, a database 102 or as a freestanding network component (e.g., as a hardware device). In a preferred embodiment, the access control system 122 is part of the Secure.Data™ server, available from Protegrity Corp. of Stamford, Conn. The access control system 122 continually monitors user activity, and prevents a user from accessing data that the user is not cleared for. This process is described in detail in WO 97/49211, hereby incorporated by reference.

The flow charts illustrated herein represent the structure or the logic of methods for an embodiment of a computer program according to the invention. The program is preferably executed in the environment 100. The flow charts illustrate the structures and functions of the computer program code elements (which could instead be implemented entirely or partially as one or more electronic circuits). As such, the present disclosure may be practiced in its essential embodiments by a machine component that renders the program code elements in a form that instructs a digital processing apparatus (e.g., computer) to perform a sequence of function steps corresponding to those shown in the flow charts. The software and various processes discussed herein are merely exemplary of the functionality performed by the disclosed technology and thus such processes and/or their equivalents may be implemented in commercial embodiments in various combinations and quantities without materially affecting the operation of the disclosed technology.

Referring now to FIG. 2, there is illustrated a flowchart 200 depicting a process for detecting and preventing intrusion in a data at rest system. A data at rest system, such as a file system or web server, stores information in a durable manner and is to be distinguished from a database.

At step S202, the access control system 122 distributes intrusion detection profiles to the one or more sensors 120. As will be discussed below, the profiles are created to protect data stored within an intranet 118.

An intrusion detection profile may exist in many forms including, but not limited to, plain text, mathematical equations and algorithms. The profile may contain one or more item access rules. Each item access rule may permit and/or restrict access to one or more resources. A rule may apply generally to all users, or the rule may apply to specific users, groups, roles, locations, machines, processes, threads and/or applications. For example, system administrators may be able to access particular directories and run certain applications that general users cannot. Similarly, some employees may be completely prohibited from accessing one or more servers or may have access to certain servers, but not certain directories or files.

Furthermore, rules may vary depending on the date and time of a request. For example, a backup utility application may be granted access to a server from 1:00 AM until 2:00 AM on Sundays to perform a backup, but may be restricted from accessing the server otherwise. Similarly, an employee may have data access privileges only during normal business hours.

Additionally, the rules need not simply grant or deny access; the rules may also limit access rates. For example, an employee may be granted access to no more than 60 files per hour without manager authorization. Such limitations may also be applied at more granular levels. For example, an employee may have unlimited access to a server, but be limited to accessing 10 confidential files per hour.

Rules may also grant, prohibit and/or limit item access for a particular type of network traffic. Item access rules may discriminate between various types of network traffic using a variety of parameters as is known to one of ordinary skill in the art including, but not limited to, whether the traffic is TCP or UDP, the ISO/OSI layer, the contents of the message and the source of the message.

These types of item access rules, as well as other rules known to those skilled in the art now or in the future, may be implemented in isolation or in combination. For example, an employee in a payroll department might be granted increased access to timesheet files on Mondays in order to review paychecks before releasing information to the company's bank. This same employee might have less access from Tuesday through Sunday.

In some embodiments, data intrusion profiles may be fashioned by an entity such as the access control system 122 or an administrator to reflect usage patterns. For example, an employee, who during the course of a previous year never accesses a server after 7:00 PM, may be prohibited from accessing the database at 8:15 PM as this may be indicative of an intrusion either by the employee or another person who has gained access to the employee's login information.

Still referring to FIG. 2, at step S204, a request for access to the data at rest system 102 is received. This request may come from a variety of sources (referred to herein as a “requestor”) including, but not limited to, servers 106 and clients 108, 116. The request may be for data including, but not limited to, file(s), record(s), image(s), audio file(s), video file(s), object(s), software component(s), web page(s) and application(s). The request also may be for a system resource including, but not limited to, process(es), thread(s), clock cycles, network connection(s), network service(s), disk space, memory and bandwidth. The request may occur in a variety of ways including, but not limited to, a database query, a system call, an interrupt, an exception and a CORBA request.

At step S206, a result is generated for the request by executing the request, as is known to those of skill in the art. For example, if the request is a wild card search, the request is executed against the appropriate server. It is noted that executing the request may be omitted in some circumstances, particularly where the request constitutes a per se violation of an item access rule. An example of such a violation might be requesting all mechanical drawings for a project that an engineer is not working on. Omitting step S206 in these cases avoids a waste of system resources in responding to inappropriate requests.

At step S208, the request and/or the result are analyzed against the one or more item access rules. If the request and/or result does not violate an item access rule, control passes to step S212 in which the result is communicated to the requestor via the appropriate technology for the request as known by persons of ordinary skill in the art. If the request does violate an item access rule, control passes to step S210 in which the access control system 122 is notified of the violation.
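As an added illustration (not part of the original disclosure), the sketch below applies the item access rules given as examples above, namely the Sunday 1:00 AM to 2:00 AM backup window, the 60 files per hour limit and the 10 confidential files per hour limit, in the manner of steps S208 to S212. The class names, subjects, server name and request timestamps are constructed, and denying a requestor that matches no rule is an assumption of the sketch.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

SUNDAY = 6  # value returned by datetime.weekday() for Sunday


@dataclass(frozen=True)
class ItemAccessRule:
    subject: str                        # user or application the rule applies to
    server: str                         # resource the rule covers
    windows: tuple = ()                 # ((weekday, start, end), ...); empty = any time
    max_per_hour: Optional[int] = None  # access-rate limit; None = unlimited
    confidential_only: bool = False     # limit counts only confidential items


class Sensor:
    """Holds one intrusion detection profile and applies it to each request."""

    def __init__(self, profile):
        self.profile = list(profile)
        self.history = {}     # rule index -> timestamps of granted accesses
        self.violations = []  # what step S210 would report to the access control system

    def _violation(self, subject, server, when, reason):
        self.violations.append((subject, server, when, reason))
        return False

    def check(self, subject, server, when, confidential=False):
        rules = [(i, r) for i, r in enumerate(self.profile)
                 if (r.subject, r.server) == (subject, server)]
        if not rules:  # assumption of this sketch: deny when no rule applies
            return self._violation(subject, server, when, "no rule permits access")
        counted = []
        for i, rule in rules:
            if rule.windows and not any(
                    when.weekday() == day and start <= when.time() < end
                    for day, start, end in rule.windows):
                return self._violation(subject, server, when, "outside time window")
            if rule.max_per_hour is None or (rule.confidential_only and not confidential):
                continue
            seen = self.history.setdefault(i, deque())
            while seen and when - seen[0] >= timedelta(hours=1):
                seen.popleft()  # slide the one-hour window forward
            if len(seen) >= rule.max_per_hour:
                return self._violation(subject, server, when, "hourly limit reached")
            counted.append(seen)
        for seen in counted:  # record the access only once every rule has passed
            seen.append(when)
        return True  # step S212: the result may be returned to the requestor


PROFILE = (
    ItemAccessRule("backup-util", "files01", windows=((SUNDAY, time(1, 0), time(2, 0)),)),
    ItemAccessRule("alice", "files01", max_per_hour=60),
    ItemAccessRule("alice", "files01", max_per_hour=10, confidential_only=True),
)


def replay():
    """Run constructed requests through the sensor; return decisions and reasons."""
    sensor = Sensor(PROFILE)
    sunday = datetime(2007, 9, 30, 1, 30)
    monday = datetime(2007, 10, 1, 9, 0)
    requests = [("backup-util", "files01", sunday, False),
                ("backup-util", "files01", sunday + timedelta(days=1), False)]
    requests += [("alice", "files01", monday + timedelta(minutes=m), True)
                 for m in range(11)]
    requests += [("alice", "files01", monday + timedelta(minutes=11), False),
                 ("alice", "files01", monday + timedelta(hours=1), True),
                 ("mallory", "files01", monday, False)]
    decisions = [sensor.check(*r) for r in requests]
    return decisions, [v[3] for v in sensor.violations]


if __name__ == "__main__":
    print(replay())
```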

Item access rules may be further refined to limit or prohibit access to marked items in a data at rest system. The rules limiting access could be similar to the item access rules described herein, but would apply in whole or in part to marked items, as opposed to all items in the data at rest system. Marked items could include any item capable of storage in data at rest systems including, but not limited to, files, images, sound recordings and videos. Marked items could be identified in many ways as is known to one of ordinary skill in the art. Examples of such means of identification include, but are not limited to: inclusion of a flag in file attributes; naming conventions; and the creation of a list or database listing marked items. Certain marked items (e.g., security log files) may be so sensitive that any attempts to access the file should automatically trigger intrusion detection. Such intrusion detection may include a variety of components that will vary based on a particular implementation of the invention and procedures of the organization using an embodiment of the invention.

Examples of intrusion detection procedures may include, but are not limited to, writing a log, modifying one or more item access rules to place restrictions or prohibition on access to one or more resources for a defined period of time or until an administrator restores access, alerting one or more administrators of a potential intrusion, altering one or more intrusion detection profiles and/or item access rules, altering a security level, shutting down one or more data at rest systems, commencing analysis of historical data access records and commencing inference analysis. Analysis of historical data access records may employ methods and/or systems for the compilation of access records, computations of statistics based on the records, and/or presentation of the records and statistics. The presentation of the records and statistics may include textual, pictorial and/or graphical elements.

Inference analysis may include the use of data mining and machine learning technologies and techniques such as Bayes' theorem. For example, anti-spam filters are becoming increasingly sophisticated, with accuracy rates in the high 90 percent being the norm. The best solutions combine Bayesian filtering and content inspection. Most use some combination of Bayesian filtering and content analysis along with whitelists and blacklists. The content filtering will inspect the accessed data element over time and the relation to sensitive data element. As a general rule, accuracy improves when inspection is moved farther away from the desktop and closer to the server.

Bayes' theorem is a facet of probability theory that relates the conditional and marginal probability distributions of random variables. The goal of the inference analysis is to detect patterns and develop heuristics or algorithms that predict intrusions. In machine learning implementations, such as spam filtering or detecting intrusions, Bayes' theorem is instructive on how to update or revise beliefs a posteriori in light of new evidence.

The goal of inference is typically to find the distribution of a subset of the variables, conditional upon some other subset of variables with known values (the evidence), with any remaining variables integrated out. This is known as the posterior distribution of the subset of the variables given the evidence. The posterior gives a universal sufficient statistic for detection applications, when one wants to choose values for the variable subset which minimize some expected loss function, for instance the probability of decision error. A Bayesian network can thus be considered a mechanism for automatically constructing extensions of Bayes' theorem to more complex problems. The most common exact inference methods are variable elimination which eliminates (by integration or summation) the non-observed non-query variables one by one by distributing the sum over the product, clique tree propagation which caches the computation so that the many variables can be queried at one time and new evidence can be propagated quickly, and recursive conditioning which allows for a space-time tradeoff but still allowing for the efficiency of variable elimination when enough space is used. All of these methods have complexity that is exponential in tree width. The most common approximate inference algorithms are stochastic MCMC simulation, mini-bucket elimination which generalizes loopy belief propagation, and variational methods.

In order to fully specify the Bayesian network and thus fully represent the joint probability distribution, it is necessary to further specify for each node X the probability distribution for X conditional upon X's parents. The distribution of X conditional upon its parents may have any form. It is common to work with discrete or Gaussian distributions since that simplifies calculations. Sometimes only constraints on a distribution are known; one can then use the principle of maximum entropy to determine a single distribution, the one with the greatest entropy given the constraints. (Analogously, in the specific context of a dynamic Bayesian network, one commonly specifies the conditional distribution for the hidden state's temporal evolution to maximize the entropy rate of the implied stochastic process.)

Often these conditional distributions include parameters which are unknown and must be estimated from data, sometimes using the maximum likelihood approach. Direct maximization of the likelihood (or of the posterior probability) is often complex when there are unobserved variables. A classical approach to this problem is the expectation-maximization algorithm which alternates computing expected values of the unobserved variables conditional on observed data, with maximizing the complete likelihood (or posterior) assuming that previously computed expected values are correct. Under mild regularity conditions this process converges on maximum likelihood (or maximum posterior) values for parameters. A more fully Bayesian approach to parameters is to treat parameters as additional unobserved variables and to compute a full posterior distribution over all nodes conditional upon observed data, then to integrate out the parameters. This approach can be expensive and lead to large dimension models, so in practise classical parameter-setting approaches are more common.

Embodiments of the invention implementing Bayesian inferences may begin with predefined rules and/or beliefs regarding user behaviors. Information is gathered from users' requests. As discussed herein, these requests are evaluated against said rules and beliefs. If a request violates a rule or conforms to a belief that the request constitutes an intrusion, the request is denied. Beliefs may be expressed probabilistically, i.e. instead of predicting whether a request constitutes an intrusion or not, embodiments of the invention herein may produce probabilities that a request constitutes an intrusion. These probabilities may be blended with other probabilities produced through other statistical methods as is well known to those of ordinary skill in the art. See, e.g., Lin, U.S. Patent Application Publication Number 2004/0267893, which is incorporated herein by reference.

Embodiments of the invention utilize outside knowledge to revise beliefs and rules. For example, if a manager requests several documents for a project that she is not affiliated with, embodiments of the invention herein may deny access to the files. The manager may, in turn, contact a helpdesk or other system administrator to justify her need for the files. Assuming that the need is legitimate, the helpdesk or administrator may modify the classification of the request as not an intrusion. The invention, in turn, will be less likely to classify similar requests by similar users as an intrusion in the future.

In embodiments of the invention configured to prevent intrusion in a file system, the item access rule may limit the number of read and/or write requests that may be processed by a user and/or a group of users in one or more files, one or more directories, one or more servers and/or the entire file system. Additionally, item access rules may limit the number of files and/or volume of data that may be accessed by a user or group of users in one or more files, one or more directories, one or more servers and/or the entire file system. Embodiments of the invention described herein may be implemented for a variety of file systems including but not limited to those described herein.

In some embodiments of the invention, inference patterns and analysis as described herein are included in intrusion detection policies. A violation of an inference pattern may result in the access control system 122 restricting access to the data at rest system that the requestor is attempting to access and may also restrict access to additional systems including, but not limited to, file system(s), database(s), application(s) and network(s). As described herein, the inference patterns and analysis may include Bayesian inference.

Various embodiments of the invention may produce a scorecard. The scorecard may contain information gathered by sensors 120 and the access control system 122 as well as information from log files including, but not limited to, violation attempts, session statistics and data access statistics. The scorecard may be presented in many formats including, but not limited to, textual, pictorial, graphical and in electronic format, such as a webpage. The scorecard may show data access statistics with respect to an entity including, but not limited to, user, application, database, query and column. The scorecard may also include a metric to represent the severity of a threat. In computing the metric, item requests may be given varying weights depending on the sensitivity of the data.

Embodiments of the invention include a system including an access control manager 122 and one or more sensors 120 as depicted in FIG. 1. The access control manager 122 promulgates item access rules and distributes the item access rules to the one or more sensors 120. The one or more sensors 120 detect violations of item access rules and report the violations to the access control manager 122. In response to a violation, the access control manager 122 may adjust one or more item access rules for user(s), group(s) and/or all users. The access control system 122 also may adjust one or more item access rules for an item or change the security policy, for example, by activating logging. The access control system 122 may also adjust one or more item access rules with regard to one or more types of network traffic. The sensors 120 may be programmed to monitor traffic at a particular network layer. For example, one or more sensors may monitor traffic at ISO/OSI Layer 2, Layer 3 and/or Layer 7.

Embodiments of the invention also include methods of detecting intrusion in a data at rest system or a database. One or more sensors 120 accumulate results from previously performed requests to an item. One or more sensors 120 receive a request for data in a data at rest system or database from a user. The sensor 120 compares the received request with at least one Bayesian inference pattern in order to determine whether a combination of accesses to the item matches said inference pattern. If a combination of accesses to the item matches said inference pattern, the sensor 120 notifies the access control system 122. This notification causes the access control system 122 to make the received request an unauthorized request before the result is transmitted to the user.

Referring now to FIG. 3, the principles described herein may be adapted to reduce reliance on a distributed computing network 104 for data security and intrusion detection. FIG. 3 depicts a system 300 having an access control system 122, a distributed computing network 104, and a remote system 302. The access control system 122 may be a stand-alone system consisting of hardware or hardware/software. Alternatively, access control system 122 may be a software module running on a server or client as described herein. The remote system 302 may be any system containing data, for example servers 106, and clients 108, 116. As depicted in FIG. 3, the remote system 302 includes a data at rest system 304 and a security module 306. The data at rest system 304 may be any system for storing data as described herein.

The security module 306 may be any system capable of processing requests for data in the data at rest system 304. Examples of suitable security modules 306 include DEFIANCE™ DPS and Secure.Data™ products distributed by Protegrity Corp. of Stamford, Conn. The network 104 may be any network as described herein and may additionally be transient in that the remote system 302 is minimally dependent on the network 104. In some embodiments, the security module 306 is integrated at the operating system level to intercept all requests for sensitive data. In other embodiments, the security module 306 is integrated with specific databases and/or applications. For example, a plug-in for Microsoft Office® (e.g. a Primary Interop Assemblies API) may interact with the Microsoft Office Object Model to regulate how sensitive data is utilized once it is imported into Microsoft Office®. Still other embodiments may utilize both operating system level components and application plug-ins.

The operation of the security module 306 is described in greater detail below. In some embodiments, the remote system 302 may be authorized to perform a specified number (e.g., 1,000, 10,000, 100,000) of encryption transactions without communicating with the access control system 122. A request for encrypted data in the data at rest system 302 will be handled by security module 306. The security module 306 will determine if an indicator value is within a threshold and return the requested data if the value is below the threshold.

The security module 306 modifies the indicator value to reflect the access and/or access attempt. The indicator value may be increased in some embodiments, or may decrease in others. For example, the indicator value may initially be zero and may be increased towards the threshold of 1,000. Alternatively, the indicator value may initially be 1,000 and decreased to a threshold of zero.

The indicator value may be modified by one or another value for each request for information. Alternatively, the indicator value may be modified for each record returned by the request. For example, if a query to a database returned five social security numbers, the indicator value could be increased by five.

Using the Microsoft Office® plug-in example from above, the security module 306 can be configured to regulate not only how much and/or which sensitive data may be accessed, but also what may be done with accessed sensitive data. For example, the indicator value may be adjusted when sensitive data is imported into Microsoft Excel®. The indicator value may be further adjusted when the sensitive data is copied from or within Microsoft Excel® or when the data is printed. In further embodiments, the security module 306 may encrypt or mask sensitive data that is printed, cut, or copied from an application or database.

As designed, the remote system 302 will require periodic communications with the access control system 122 if a user is to enjoy uninterrupted access to sensitive data. Accordingly, the remote system 302 may be configured to contact the access control system 122 whenever a network connection exists, at a defined interval, when the indicator value is within a defined distance from the threshold, and/or when the indicator value exceeds the threshold. The access control system 122 may communicate with the remote system 302 to modify the indicator value and/or the threshold value.
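The offline quota described in the preceding paragraphs can be sketched as follows. This is an added example, not code from the patent or from any Protegrity product; the class name, method names and sample store are assumptions, and the allow/deny comparison follows the wording of claim 1 (a request is allowed when count plus requested records does not exceed the threshold).

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class OfflineAccessGate:
    """Record quota enforced locally while the access control system is unreachable."""
    threshold: int                 # records authorized while disconnected
    warn_distance: int = 0         # "defined distance" from the threshold that calls for a sync
    count: int = 0                 # indicator value / maintained count, counting up from zero
    audit: list = field(default_factory=list)  # request info held until a connection exists

    def request(self, user: str, record_ids: list, decrypt: Callable) -> Optional[list]:
        """Return decrypted records, or None when the request would exceed the threshold."""
        wanted = len(record_ids)
        # Decide before any decryption happens, so a denied request releases nothing.
        if self.count + wanted > self.threshold:
            self.audit.append({"user": user, "records": wanted, "allowed": False})
            return None
        released = [decrypt(rid) for rid in record_ids]
        # Charge one unit per record returned, not one per request.
        self.count += len(released)
        self.audit.append({"user": user, "records": len(released), "allowed": True})
        return released

    def should_contact_server(self, network_up: bool) -> bool:
        """Contact the server whenever a link exists or the count is near the threshold."""
        near_limit = self.threshold - self.count <= self.warn_distance
        return network_up or near_limit

    def sync(self, reset_count: bool = True, new_threshold: Optional[int] = None) -> list:
        """Apply instructions from the access control system; return the stored audit entries."""
        if reset_count:
            self.count = 0
        if new_threshold is not None:
            self.threshold = new_threshold
        sent, self.audit = self.audit, []
        return sent


# Constructed sample data: a stand-in for the encrypted store and its decrypt routine.
SAMPLE_STORE = {i: f"record-{i}" for i in range(1, 21)}


def demo():
    gate = OfflineAccessGate(threshold=10, warn_distance=2)
    decrypt = SAMPLE_STORE.__getitem__
    first = gate.request("alice", [1, 2, 3, 4, 5], decrypt)   # 0 + 5 <= 10: allowed
    second = gate.request("alice", [6, 7, 8], decrypt)        # 5 + 3 <= 10: allowed
    third = gate.request("alice", [9, 10, 11], decrypt)       # 8 + 3 > 10: denied
    near = gate.should_contact_server(network_up=False)       # 10 - 8 <= 2
    uploaded = gate.sync(reset_count=True, new_threshold=5)   # server resets and tightens
    after = gate.request("alice", [9, 10, 11], decrypt)       # 0 + 3 <= 5: allowed
    return first, second, third, near, uploaded, gate.count, after


if __name__ == "__main__":
    print(demo())
```

The count and threshold live on the client, so a real deployment has to keep them in storage the user cannot rewrite; the sketch holds them in memory only.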

In another embodiment, the remote system 302 may receive intrusion detection profiles from the access control system 122 as described above. The intrusion detection profiles may include inference patterns as described herein.

In other embodiments, the remote system 302 may send information on requests to the access control system 122. The remote system 302 may only send information on requests that are generated when a network connection exists or the remote system may store information on requests to send when a network connection becomes available.

The functions of several elements may, in alternative embodiments, be carried out by fewer elements, or a single element. Similarly, in some embodiments, any functional element may perform fewer, or different, operations than those described with respect to the illustrated embodiment. Also, functional elements (e.g., modules, databases, computers, clients, servers and the like) shown as distinct for purposes of illustration may be incorporated within other functional elements, separated in different hardware or distributed in a particular implementation.

What is claimed is:
 1. A computer-implemented method for data protection comprising: receiving a request at a client device from a user for access to a set of one or more data records encrypted with an encryption key and stored in a database comprising at least a plurality of data records; accessing by the client device a maintained count associated with the encryption key, the maintained count comprising a sum of database data records encrypted with the encryption key accessed by the user while the client device is not communicatively coupled to a security system, wherein the security system is external to the client device; responsive to a determination that a sum of the maintained count and a number of records in the requested set of records does not exceed a threshold stored at the client device, the threshold representing a number of records encrypted with the encryption key that the user is authorized to access while the client device is not communicatively coupled to the security system: decrypting the set of data records; providing the set of decrypted data records to the user; and incrementing the maintained count responsive to providing the set of decrypted data records to the user by a number equal to a number of records included in the provided set of decrypted data records; and responsive to a determination that the sum of the maintained count and the number of records in the requested set of records exceeds the threshold, denying the received request for access to the set of data records.
 2. The method of claim 1, wherein denying the received request comprises prompting the user to connect the client device to the security system.
 3. The method of claim 2, further comprising: receiving instructions from the security system to reset the maintained count in response to the establishment of a connection between the client device and the security system; and resetting the maintained count in response to the received instructions.
 4. The method of claim 2, further comprising: receiving instructions from the security system to modify the threshold in response to the establishment of a connection between the client device and the security system; and modifying the threshold in response to the received instructions.
 5. The method of claim 4, wherein the request is received via a network layer, and wherein the threshold is modified only for further requests received via the network layer.
 6. The method of claim 1, further comprising: receiving a request from the user to perform a number of operations on the provided data records; accessing by the client device a second maintained count comprising a number of operations the user has performed on accessed data records while the client device is not communicatively coupled to the security system; responsive to a determination that the sum of the second maintained count and the number of requested operations does not exceed a second threshold stored at the client device representing a number of operations the user is authorized to perform on provided data records while the client device is not communicatively coupled to the security system: performing the requested operations on the provided data records; and incrementing the second maintained count response to performing the operations on the provided data records by a number equal to the number of operations performed on the provided data records; and responsive to a determination that the sum of the second maintained count and the number of requested operations exceeds the second threshold, denying the request to perform operations on the provided data records.
 7. A non-transitory computer-readable storage medium storing computer-executable instructions for data protection, the instructions comprising instructions for: receiving a request at a client device from a user for access to a set of one or more data records encrypted with an encryption key and stored in a database comprising at least a plurality of data records; accessing by the client device a maintained count associated with the encryption key, the maintained count comprising a sum of database data records encrypted with the encryption key accessed by the user while the client device is not communicatively coupled to a security system, wherein the security system is external to the client device; responsive to a determination that a sum of the maintained count and a number of records in the requested set of records does not exceed a threshold stored at the client device, the threshold representing a number of records encrypted with the encryption key that the user is authorized to access while the client device is not communicatively coupled to the security system: decrypting the set of data records; providing the set of decrypted data records to the user; and incrementing the maintained count responsive to providing the set of decrypted data records to the user by a number equal to a number of records included in the provided set of decrypted data records; and responsive to a determination that the sum of the maintained count and the number of records in the requested set of records exceeds the threshold, denying the received request for access to the set of data records.
 8. The non-transitory computer-readable storage medium of claim 7, wherein denying the received request comprises prompting the user to connect the client device to the security system.
 9. The non-transitory computer-readable storage medium of claim 8, further comprising instructions for: receiving instructions from the security system to reset the maintained count in response to the establishment of a connection between the client device and the security system; and resetting the maintained count in response to the received instructions.
 10. The non-transitory computer-readable storage medium of claim 8, further comprising instructions for: receiving instructions from the security system to modify the threshold in response to the establishment of a connection between the client device and the security system; and modifying the threshold in response to the received instructions.
 11. The non-transitory computer-readable storage medium of claim 10, wherein the request is received via a network layer, and wherein the threshold is modified only for further requests received via the network layer.
 12. The non-transitory computer-readable storage medium of claim 7, further comprising instructions for: receiving a request from the user to perform a number of operations on the provided data records; accessing by the client device a second maintained count comprising a number of operations the user has performed on accessed data records while the client device is not communicatively coupled to the security system; responsive to a determination that the sum of the second maintained count and the number of requested operations does not exceed a second threshold stored at the client device representing a number of operations the user is authorized to perform on provided data records while the client device is not communicatively coupled to the security system: performing the requested operations on the provided data records; and incrementing the second maintained count response to performing the operations on the provided data records by a number equal to the number of operations performed on the provided data records; and responsive to a determination that the sum of the second maintained count and the number of requested operations exceeds the second threshold, denying the request to perform operations on the provided data records.
 13. A system for data protection comprising: a non-transitory computer-readable storage medium storing executable computer instructions for: receiving a request at a client device from a user for access to a set of one or more data records encrypted with an encryption key and stored in a database comprising at least a plurality of data records; accessing by the client device a maintained count associated with the encryption key, the maintained count comprising a sum of database data records encrypted with the encryption key accessed by the user while the client device is not communicatively coupled to a security system, wherein the security system is external to the client device; responsive to a determination that a sum of the maintained count and a number of records in the requested set of records does not exceed a threshold stored at the client device, the threshold representing a number of records encrypted with the encryption key that the user is authorized to access while the client device is not communicatively coupled to the security system: decrypting the set of data records; providing the set of decrypted data records to the user; and incrementing the maintained count responsive to providing the set of decrypted data records to the user by a number equal to a number of records included in the provided set of decrypted data records; and responsive to a determination that the sum of the maintained count and the number of records in the requested set of records exceeds the threshold, denying the received request for access to the set of data records; and a processor configured to execute the instructions.
 14. The system of claim 13, wherein denying the received request comprises prompting the user to connect the client device to the security system.
 15. The system of claim 14, the instructions further comprising instructions for: receiving instructions from the security system to reset the maintained count in response to the establishment of a connection between the client device and the security system; and resetting the maintained count in response to the received instructions.
 16. The system of claim 14, the instructions further comprising instructions for: receiving instructions from the security system to modify the threshold in response to the establishment of a connection between the client device and the security system; and modifying the threshold in response to the received instructions.
 17. The system of claim 16, wherein the request is received via a network layer, and wherein the threshold is modified only for further requests received via the network layer.
 18. The system of claim 13, the instructions further comprising instructions for: receiving a request from the user to perform a number of operations on the provided data records; accessing by the client device a second maintained count comprising a number of operations the user has performed on accessed data records while the client device is not communicatively coupled to the security system; responsive to a determination that the sum of the second maintained count and the number of requested operations does not exceed a second threshold stored at the client device representing a number of operations the user is authorized to perform on provided data records while the client device is not communicatively coupled to the security system: performing the requested operations on the provided data records; and incrementing the second maintained count response to performing the operations on the provided data records by a number equal to the number of operations performed on the provided data records; and responsive to a determination that the sum of the second maintained count and the number of requested operations exceeds the second threshold, denying the request to perform operations on the provided data records.
 19. A computer-implemented method for data protection comprising: receiving a request at a client device from a user for access to a set of one or more protected data records stored in a database comprising at least a plurality of data records, the set of protected data records comprising encoded data records; accessing by the client device a maintained count associated with the user, the maintained count comprising a sum of protected database data records accessed by the user while the client device is not communicatively coupled to a security system, wherein the security system is external to the client device; responsive to a determination that a sum of the maintained count and a number of records in the requested set of records does not exceed a threshold stored at the client device, the threshold representing a number of protected records that the user is authorized to access while the client device is not communicatively coupled to the security system: decoding the set of data records; providing the set of decoded data records to the user; and incrementing the maintained count responsive to providing the set of decoded data records to the user by a number equal to a number of records included in the provided set of decoded data records; and responsive to a determination that the sum of the maintained count and the number of records in the requested set of records exceeds the threshold, denying the received request for access to the set of data records.